Access control is required for secure communication in most prior art wireless radio communication systems. As an example, one simple access control scheme might comprise: (i) verifying the identity of a communicating party, and (ii) granting a level of access commensurate with the verified identity. Within the context of an exemplary cellular system (e.g., Universal Mobile Telecommunications System (UMTS)), access control is governed by an access control client, referred to as a Universal Subscriber Identity Module (USIM) executing on a physical Universal Integrated Circuit Card (UICC). The USIM access control client authenticates the subscriber to the UMTS cellular network. After successful authentication, the subscriber is allowed access to the cellular network. As used hereinafter, the term “access control client” refers generally to a logical entity, either embodied within hardware or software, suited for controlling access of a first device to a network. Common examples of access control clients include the aforementioned USIM, CDMA Subscriber Identification Modules (CSIM), IP Multimedia Services Identity Module (ISIM), Subscriber Identity Modules (SIM), Removable User Identity Modules (RUIM), etc.
Traditionally, the USIM (or more generally “SIM”) performs the well-known Authentication and Key Agreement (AKA) procedure, which verifies and decrypts the applicable data and programs to ensure secure initialization. Specifically, the USIM must both (i) successfully answer a remote challenge to prove its identity to the network operator, and (ii) issue a challenge to verify the identity of the network.
However, existing SIM solutions have multiple weaknesses or disadvantages. Firstly, the SIM software is hard-coded to the physical UICC card media; the subscriber needs a new UICC to change SIM operation. This can be detrimental to both MNOs and subscribers; for example, if the authentication procedures are “broken” (e.g., via malicious “hacking” activities), the subscriber must be issued a new UICC, and this process is both time consuming and expensive. Moreover, for reasons described in greater detail subsequently herein, the physical SIM only recognizes a single trusted entity; specifically, the Mobile Network Operator (MNO) that it is configured to communicate with. Thus, there is no current method for incorporating post-deployment programming, except via the existing trusted relationship between the device and the MNO. For example, third-party SIM developers who wish to provide new or upgraded SIM software are stymied both by the inflexibility of physical SIM card media, as well as their inability to establish a trusted relationship between themselves and the subscriber's SIM. This control “bottleneck” greatly limits the number and capabilities afforded to SIM vendors.
Accordingly, new solutions are needed for enabling post-deployment SIM distribution, and modification. Ideally, such solutions should enable the mobile device to receive and implement changes to SIM operation while the device is in the “field” (post-deployment). Moreover, the improved methods and apparatus should support other desirable features such as, inter alia, support for multiple SIM profiles, flexible operation, updates, etc.
More generally however, improved methods and apparatus are needed for secure modification, storage, and execution of access control clients. Techniques for modifying access control client operation are needed to support features such as multiple subscriber access profiles, secure device updating, alternative methods for subscriber service provisioning, etc. Furthermore, due to the sensitive nature of access control and the possibility for surreptitious use and service theft, secure methods for performing such modifications are a chief concern.